1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLeeJ
    @firefox That is weird did you just try this or have you used it in the past?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    M
    Hi, I had a problem with my home network today, so I checked pfsense and discovered that suricata had blocked the wan ip. After some tests and triggering some suricata alerts, the wan ip was blocked. I restarted pfsense and ran some more tests, but the problem no longer occurred. I then checked the wan interface settings and indeed the ip list does not include the wan ip, both now that it's working and before, when it was blocked. I'm using pfsense 2.8.0 and suricata 7.0.8_2. I use PPPoE to access the Internet.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    dennypageD
    @Leon-Straathof Data retention settings are handled inside of ntopng. Documentation here. Pay attention to the RRD note. Also, if you've turned on some of the slice and dice time series information (is off by default), I'd suggest turning them back off. These balloon the storage requirements and are of little actual use.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    J
    @LowKnee Just out of curiosity are you referring to the Database Sanity Check reporting that "these two counts should match" it the count is off by 1 (which I suspect is your case) there was a fix (manual code change) to change masterfile to mastercat in pfblolckerng.sh you want to change this change the line from s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})" to s1="$(grep -cv ^${ip_placeholder2}$ ${mastercat})" There is also an edge case if the count is greater than one, here is how that goes if in the deny directory you have say two flies (because of the list / file selection you have and they have repeat addresses file 1 has say 100 lines file 2 has say 10 lines (but those 10 lines are also in file 1, file 2 is a subset) you get two uniquely named deny files and then when the "count" is calculated on the deny directory it sees 110 entries when the "count:" is calculated on the "mastercat" file it only contains 100 entries the count doesn't match in my case the issue was caused by full list I had selected, also having an available subset lists (I had inadvertently selected one of) this causing two deny files with some of the same (overlapping data) I unselected the subset and bingo matched again, was a "my bad" selection. Edit: this applied to 25.07 (and 25.07.1) and pfblockerng 3.2.7 as it is labelled on those versions of pfSense

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    496 Topics
    3k Posts
    R
    @provels said in updating to acme 1.0 breaks system beyond repair: need to restore from backup: This same mess happened to me, even w/o Acme, going from 25.07 to *.1. Blew, reinstalled w/ Crowdsec, blew again, reinstalled, clipped all the Crowdsec info from config.xml, restored config, back to normal. Crowdsec is a great concept, but I think I'm out. I never had this issue with Crowdec before the ACME update, even with updating from 2.7 to 2.8 there was no issues. In fact after restoring from a backup after the ACME update, Crowdsec reinstalled just fine, and this was before the recent release a couple days ago that contained a fix.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1

  • Discussions about the Tailscale package

    90 Topics
    603 Posts
    W
    @totalimpact in my case I dsid not reboot the router, after I copied the new key tailscale went online.

  • Discussions about WireGuard

    697 Topics
    4k Posts
    H
    I figured out the issue. I missed adding the 3rd locations Lan to the static routing. Now all is working perfect.
Log in to post
Load new posts
  • I

    SquidGuard XMLRPC page edit

    3
    0 Votes
    3 Posts
    1k Views
    I
    Editing this page is impirtant for me. firstly i need to edit this file.
  • P

    Snort 2.9.6.0 - Alerts not being logged

    20
    0 Votes
    20 Posts
    4k Views
    bmeeksB
    @priller: @priller: I then went back and tried to reproduce the original problem by removing the IP Blacklist while still having IP REP enable.  Not only could I not reproduce it, but I kept getting 'packets blacklisted' blocks and alerts without having the blacklist selected Ops, never mind, I was clicking around too fast.  Adding the blacklist to the interface 'sticks' without hitting Save, meaning you can leave the interface configuration and when you come back it is still there. You can be 'tricked' into thinking it is doing something. Only when you hit Save does it trigger the interface config reload. Same for when you remove a list. This behavior could have unintended consequences for the user.  You continue to see a given blacklist applied (or removed), but it is not doing anything. (Got'a protect dummy users from themselves!  :o ) You're right.  Did not think about that.  I will update it so changing a blacklist or whitelist does the restart. Bill
  • E

    Snort – Openssl-Heartbleed bug (CVE-2014-0160)

    16
    0 Votes
    16 Posts
    4k Views
    E
    Hi, following the steps to reproduce and bypass Snort: downloaded this script to test the vulnerability (and dump the memory) of the buggy pfsense –> https://gist.githubusercontent.com/sh1n0b1/10100394/raw/4f24ff250124a03ad2d3d6010b6402c3a483d2f3/ssltest.py the attacker runs the script (meanwhile the administrator of the pfsense is logged in from his browser); in the dump file is stored the session ID of the admin's session. 3)at this point, after the dump has occurred, Snort has recognised the attack and blocks the source ip. used a cookie editor (for example cookies manager+ from firefox addons) and create a custom cookie with the session ID extracted before. 5)now if we change the source ip (cell. tethering or using tor if can't change external ip) using the new cookies you will be able to Hijacking the session. However, for open source projects like this i think we should always see the cup half full( italian proverb :D), it's already so much what Snort does for the cost of 0. Edoardo
  • B

    Varnish - reverse proxy - backends order error

    6
    0 Votes
    6 Posts
    2k Views
    B
    Okay, so I reinstalled the varnish3 package, but I got this error in logs: php: /pkg_mgr_install.php: The command '/usr/local/etc/rc.d/varnish.sh' returned exit code '2', the output was 'kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 4096 -> 4096 Message from VCC-compiler: Reference to unknown backend 'BACKEND' at ('input' Line 34 Pos 28) .backend = BACKEND; –-------------------------#######- In director specification starting at: ('input' Line 32 Pos 1) director LBD01 round-robin { ########-------------------- Running VCC-compiler failed, exit 1 VCL compilation failed' I give up this package in my point of view is very alpha.
  • belleraB

    [SOLVED] squidclient

    5
    0 Votes
    5 Posts
    8k Views
    belleraB
    Sticky thread about Monitor Squid Status, https://forum.pfsense.org/index.php?topic=28835.0
  • H

    Web cache server is not working for me

    2
    0 Votes
    2 Posts
    690 Views
    belleraB
    pfSense version? Package version do you want to install? There are different squid package versions. LAN/WAN scenario? (One LAN or more, one WAN or more?).
  • A

    Firewall Rule, Squid and Squidguard

    6
    0 Votes
    6 Posts
    3k Views
    belleraB
    Yes, whitelists go before blacklists. That's all. If you need to do something like !block_bad_words filter_some_domains !block_with_big_black_lists you can see a trick at https://forum.pfsense.org/index.php?topic=73759.msg404261#msg404261
  • BBcan177B

    Snort IPrep

    15
    0 Votes
    15 Posts
    3k Views
    bmeeksB
    @BBcan17: @bmeeks: @BBcan17: I noticed this in the Blocked log? Not sure how that got added? I check the blocklist and its not there. 224 255.255.255.255 (spp_reputation) packets blacklisted - 04/15/14-13:10:56                               (portscan) UDP Filtered Portsweep - 04/15/14-10:19:22 Obviously it was a broadcast.  Could be a bug in the IP REP preprocessor code within Snort itself.  Done improperly, a test of a broadcast address could seem to match any IP address.  All the GUI package code does is set a handful of snort.conf parameters for the preprocessor. I guess add that to the Whitelst? Nah…I wouldn't bother.  You generally don't care if a broadcast is blocked because that is all subnet localized anyway.
  • T

    Prevent snort from blocking particular websites

    2
    0 Votes
    2 Posts
    2k Views
    bmeeksB
    @thelongdivider: The title says it all.  Whenever snort is enable even the most popular websites like amazon and newegg are blocked by snort, as well as a couple of less common websites that are important to me.  Is there any way to unblock these sites on a website to website basis? Welcome to the world of false positives.  It happens with all IDS systems.  You need to examine the alerts, and if you trust the web site and are sure it is a false positive, you have two options: (1) suppress the alert or (2) add the host to a Pass List.  Here are some links to the Documentation Wiki with some details on each method. https://doc.pfsense.org/index.php/Snort_suppress_list https://doc.pfsense.org/index.php/Snort_passlist There is also a long thread here in the Packages forum containing known false positives and the corresponding Suppress List entries for them.  Here is a link to that thread: https://forum.pfsense.org/index.php?topic=64674.0 Bill
  • I

    Snort: Alerts in the suppress list still visible in logg

    15
    1 Votes
    15 Posts
    4k Views
    P
    @BBcan17: @Priller, Did you try to re-install Snort? Or a De-install and re-install (Make sure the Checkbox is click to keep settings after deinstall) My bad for hijacking the original Snort problem reported.  Snort is working fine for me, it's Suricata that is exhibiting the identical problem that the OP reported with Snort. So, for Suricata, yes I did try a de-install and re-install.  I performed that both keeping the config … and also a total removed and rebuilt the config by hand.
  • ?

    Upgraded pfSense 2.1 with Quagga OSPF, exiting on signal 6

    6
    0 Votes
    6 Posts
    2k Views
    N
    Looks like the dead timer is doing it (40s default), although it gets the hello messages quite regularly: 08:37:50.196698 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68 08:37:59.869506 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68 08:38:09.148189 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68 08:38:18.830889 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68
  • S

    Cannot Install OpenVPN Client Export Utililty

    6
    0 Votes
    6 Posts
    2k Views
    S
    Thanks jimp!  That worked!
  • F

    Squidguard + SSL error page

    5
    0 Votes
    5 Posts
    2k Views
    belleraB
    @mendilli: if you want error page to bee seen for https sites, you should use squid3-dev with https transparent option As @mendilli said, you need squid3-dev + squidGuard+squid3 for SSL Bump (SSL interception). Steps (in Spanish), use translate.google.com https://forum.pfsense.org/index.php?topic=73007.msg402349#msg402349 https://forum.pfsense.org/index.php?topic=73740.0
  • A

    Squid3-dev 3.3.10 pkg 2.2.2 failed to start after upgrading

    2
    0 Votes
    2 Posts
    1k Views
    belleraB
    I saw strange numbers in this case: https://forum.pfsense.org/index.php?topic=74567.0 Look for interfaces activated at your squid3-dev And look for this reported bug, https://forum.pfsense.org/index.php?topic=62256.msg407762#msg407762
  • J

    Free Radius + Captive Portal No valid RADIUS responses received

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • N

    Zebedee

    1
    0 Votes
    1 Posts
    648 Views
    No one has replied
  • O

    DansGuardian AD Groups

    2
    0 Votes
    2 Posts
    1k Views
    O
    Anyone?
  • A

    Upgrade causes snort to enable barnyard (Snort 2.9.5.6 pkg v3.0.6)

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB
    @adam65535: Upgrade of the primary… Now the primary has barnyard enabled for both LAN and WAN too.  Not sure what is causing this.  Not a big deal though.  I just disabled it on the primary for both instances and the backup server got the synced snort config and is disabled there now too. There was a little logic error I introduced into the Barnyard2 migration code that migrates old settings into the new format to support the enhanced output plugins.  I was keying off only one of two parameter that must BOTH be true for Barnyard to have been enabled under the old config.  As a consequence of only looking at one and not both, the migration script was turning on Barnyard2 if it had ever been enabled in the past on an interface. I am fixing that for future upgrades, but for this one the damage is sort of done.  Thankfully it's not a fatal thing.  Just disable Barnyard2 on the interface again and save the update. There are some problems with updating synced pairs with sync still on.  I recommend turning off sync, upgrading all the machines to the same version, then re-enable sync. Bill
  • P

    [Suricata IDS] Extracting encrypted and unencrypted data files

    9
    0 Votes
    9 Posts
    4k Views
    bmeeksB
    @pfNeo: I did another test and I did find some files in the directory, but not the actual dll file. I found file.1 and file.1.meta. file.1 contained the following (stripped) text {"status":"success","url":"http:\/\/www.SOMEWEBSITE.com\/PHPFILE.php?=somecodeinphp"} file.1.meta contains the following TIME:              [stripped content] SRC IP:            [stripped content] DST IP:            [stripped content] PROTO:              [stripped content] SRC PORT:          [stripped content] DST PORT:          [stripped content] HTTP URI:          [stripped content] HTTP HOST:        [stripped content] HTTP REFERER:      [stripped content] HTTP USER AGENT:  [stripped content] FILENAME:          /URLPATH/file.dll MAGIC:            <unknown>STATE:            CLOSED SIZE:              126</unknown> Thanks for the feedback.  Just got back in the country from a vacation and still catching up.' Sorry about giving you the wrong rules file name.  It is custom.rules.  The snort.rules are all the pre-packaged rules. As I mentioned, testing of the file capture ability in Suricata is not something I had a chance to test.  One possible issue is I may have the "magic file" setting messed up.  If you have some knowledge and want to experiment, you can edit that feature in the suricata.yaml file.  There is a "template" for that file in /usr/local/pkg/suricata called suricata_yaml_template.inc. Please post back what you discover.  I want to get this working properly.  I have been multitasking with the Snort package and working on Suricata blocking.  This has limited my time to experiment more with this feature. Bill
  • bmeeksB

    NEW - Suricata 1.4.6 IDS pkg. v0.2-BETA Released

    39
    0 Votes
    39 Posts
    18k Views
    bmeeksB
    @Supermule: Thanks a billion Bill!! Youre SO much the man of this project right now! Thank you.  One caveat for Suricata blocking.  Initially it will have to operate the same way as Snort does using libpcap.  Thus it won't be true inline-mode IPS.  Ermal has to make some changes in the ipfw code within pfSense in order to accommodate true inline IPS mode.  However, due to the problem of context switching between kernel mode and user-land, IPS mode when it comes won't be nearly as fast as the pseudo-IPS mode Snort uses (and that Suricata will use initially).  So true inline IPS is probably not going to be very useful for heavily loaded firewalls.  That's just the nature of the beast unless you go to highly customized code, and if you do that then you can't easily follow the upstream updates. The kernel changes to support true IPS may or may not make it into 2.2.  That is not up to me.  It is up to the pfSense team.  However, I can include the pseudo-IPS mode without those kernel changes.  That means pseudo-IPS can work with 2.1.x releases.  The pseudo-IPS mode is what I am working on now. Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.